Contributed 7/28/00 by Evan Bryant

Employees Retirement System of Texas (ERS)
Review of Business Resumption Plans
Audit Program
Project No. 2000-01

Audit Objectives

1) Determine if a business resumption plan exists and was developed using a sound methodology that includes the following elements:
   a) Identification and prioritization of the activities that are essential to continue functioning.
   b) The plan is based upon a business impact analysis that considers the impact of the loss of essential functions.
   c) Operations managers and key employees participated in the development of the plan.
   d) The plan identifies the resources that will likely be needed for recovery and where they will be available.
   e) The plan is simple and easily understood so that it will be effective when it is needed.
   f) The plan is realistic in its assumptions.
2) Determine if information backup procedures are sufficient to allow for recovery of critical data.
3) Determine if a test plan exists and to what extent the business resumption plan has been tested.
4) Determine if resources have been made available to maintain the business resumption plan and keep it current.

Audit Preparation

1) Obtain and review the existing business resumption plan.
2) Obtain and review plans for business resumption testing and/or documentation of actual tests. Per DIR (the Texas Department of Information Resources), IS disaster recovery plans should be updated and tested annually.
3) Obtain and review the existing business impact analysis.
4) Gather background information to provide criteria and guidance in the preparation and evaluation of business resumption plans.
5) Determine if copies of the plan are safeguarded by off-site storage.

Steps to Achieve Audit Objectives

1) Gain an understanding of the methodology used to develop the existing business resumption plan. Who participated in the development effort?
2) Gain an understanding of the methodology used to develop the existing business impact analysis.
3) Determine if recommendations made by the external firm that produced the business impact analysis have been implemented or otherwise addressed.
4) Have resources been allocated to prevent the business resumption plan from becoming outdated and possibly ineffective?
   a) Determine if the plan is dated each time it is revised so that the most current version will be used if needed.
   b) Determine if the plan has been updated within the past 12 months.
5) Determine all of the locations where the business resumption plan is stored. Is it held in enough distinct locations to ensure that it will survive a disaster and be available to those who need it?
6) Review information backup procedures in general. The availability of backup data could be critical to minimizing the time needed for recovery. Determine whether backups are stored off-site, whether they are protected to at least the same level as the production data, and whether restoration from backup media has actually been tested rather than assumed.
7) Interview functional area managers or key employees to determine their understanding of the business resumption plan. Do they have a clear understanding of their role in working towards the resumption of normal operations?
8) Does the business resumption plan include provisions for:
   a) Personnel
      i) Have key employees seen the plan, and are all employees aware that there is such a plan? (Objective 3)
      ii) Have employees been told their specific roles and responsibilities if the business resumption plan is put into effect? (Objective 3)
      iii) Does the business resumption plan include contact information for key employees, especially after hours? (Objective 3)
      iv) Does the business resumption plan include provisions for people with special needs? (Objective 3)
      v) Does the business resumption plan have a provision for replacement staff when necessary? (Objective 3)
   b) Building, Utilities and Transportation
      i) Does the business resumption plan have a provision for having a building engineer inspect the building and facilities soon after a disaster, so that damage can be identified and repaired and the premises made safe for the return of employees as soon as possible? (Objective 4)
      ii) Does the business resumption plan consider the need for alternative shelter, if needed? Alternatives in the immediate area may be affected by the same disaster. (Objective 4)
      iii) Review any agreements for use of backup facilities. (Objective 4)
      iv) Verify that the backup facilities are adequate based on projected needs (telecommunications, utilities, etc.). Will the site be secure? (Objective 4)
      v) Does the business resumption plan consider the failure of electrical power, natural gas, toxic chemical containers, and pipes? (Objective 4)
      vi) Are building safety features regularly inspected and tested? (Objective 7)
      vii) Does the plan consider the disruption of transportation systems? This could affect the ability of employees to report to work or return home. It could also affect the ability of vendors to provide the goods needed in the recovery effort.
   c) Information Technology
      i) Determine if the plan reflects the current IT environment.
      ii) Determine if the plan includes prioritization of critical applications and systems.
      iii) Determine if the plan includes time requirements for recovery/availability of each critical system, and that they are reasonable.
      iv) Does the business resumption plan include arrangements for emergency telecommunications?
      v) Is there a plan for alternate means of data transmission if the computer network is interrupted? Has the security of the alternate methods been considered, so that they do not bypass the access controls that protect the primary network?
      vi) Determine if a testing schedule exists and is adequate (at least annually). Verify the date of the last test. Determine if weaknesses identified in the last tests were corrected.
   d) Administrative Procedures
      i) Does the business resumption plan cover administrative and management aspects in addition to operations? Is there a management plan to maintain operations if the building is severely damaged or if access to the building is denied or limited for an extended period of time?
      ii) Is there a designated emergency operations center where incident management teams can coordinate response and recovery?
      iii) Determine if the business resumption plan covers procedures for disaster declaration, general shutdown and migration of operations to the backup facility.
      iv) Have essential records been identified? Is a duplicate set of essential records stored in a secure location?
      v) To facilitate retrieval, are essential records separated from those that will not be needed immediately?
      vi) Does the business resumption plan include the names and numbers of suppliers of essential equipment and other material?
      vii) Does the business resumption plan include provisions for the approval to expend funds that were not budgeted for the period? Recovery may be costly.
      viii) Has executive management assigned the necessary resources for plan development, concurred with the selection of essential activities and the priority for recovery, agreed to the back-up arrangements and the costs involved, and is it prepared to authorize activation of the plan should the need arise?